
Domain controllers 2016 to 2022 upgrade

SAGA 20 Reputation points
2026-04-09T10:08:19.0833333+00:00

Hi Team,

We are planning to upgrade domain controllers from 2016 to 2022. We already have a few servers running 2022, so there is no schema upgrade required. My only concern or doubt here is about the TLS version: I believe in 2022 TLS 1.0 and 1.1 will be disabled by default. There are a few apps which rely on TLS 1.1; they are about to migrate as well, but this will take some time and we cannot hold the upgrade. In this case, if we enable TLS 1.1 and 1.0 via the registry, will it be supported in 2022?

Hope 2022 won't support SMB 1.0 either, and it will be disabled by default.

Also, is there any command to check the TLS versions enabled on the server?

  1. VPHAN 28,590 Reputation points Independent Advisor
    2026-04-09T10:52:42.2733333+00:00

    Hi SAGA,

    You can definitely enable TLS 1.0 and 1.1 in Windows Server 2022 via the registry to support your legacy applications during the migration phase. While the operating system defaults to the much more secure TLS 1.2 and 1.3 protocols, the underlying architecture still includes the older protocols for backward compatibility. You will need to open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols to make this change. Inside that path, you must create keys for TLS 1.0 and TLS 1.1, and within each of those, create both a Client and Server subkey. Setting the DisabledByDefault value to 0 and the Enabled value to 1 within those specific keys will turn the older protocols back on for your legacy apps.

    Your assumption about SMB 1.0 is completely accurate. It is fully removed and disabled by default in Windows Server 2022 because of its well-documented and severe security vulnerabilities. While it is technically possible to reinstall it through Server Manager as a Windows Feature, doing so on a domain controller creates a massive security risk for your entire Active Directory environment and is strongly discouraged.

    To verify which TLS versions are currently active on your server, there is no single graphical interface or dedicated native command provided by Windows. Instead, you can use the Get-ItemProperty cmdlet in PowerShell to query the exact SCHANNEL registry path mentioned earlier. If you run a query against that path and see no entries for TLS 1.0 or 1.1, it simply means the server is utilizing the secure operating system defaults and those older protocols remain safely turned off.

    Hope this answer brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

    VP
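
The registry check described in the answer above, written out as an added example (not part of either answer, and not Microsoft's own tooling). It only reads the SCHANNEL Protocols keys named on this page; the function name `Get-SchannelProtocolState` and the State labels are assumptions of this example, and TLS 1.2 and 1.3 are included so the output covers every version the thread mentions.

```powershell
# Added example: read-only audit of SCHANNEL protocol overrides.
# Get-SchannelProtocolState is a hypothetical helper name.
function Get-SchannelProtocolState {
    param(
        [string]$BasePath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols',
        [string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'),
        [string[]]$Roles = @('Client', 'Server')
    )
    foreach ($proto in $Protocols) {
        foreach ($role in $Roles) {
            $key = Join-Path (Join-Path $BasePath $proto) $role
            # A missing key or value is not an error here: it means "no override".
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = $null
            $disabledByDefault = $null
            if ($props) {
                if ($props.PSObject.Properties['Enabled']) { $enabled = $props.Enabled }
                if ($props.PSObject.Properties['DisabledByDefault']) { $disabledByDefault = $props.DisabledByDefault }
            }
            # The labels below are this example's own classification (assumption).
            $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) {
                'No override (OS default applies)'
            } elseif ($null -ne $enabled -and $enabled -eq 0) {
                'Disabled by registry'
            } elseif ($null -ne $enabled -and $enabled -ne 0 -and $disabledByDefault -eq 0) {
                'Enabled by registry'
            } else {
                'Partial override (review both values)'
            }
            [pscustomobject]@{
                Protocol = $proto; Role = $role; Enabled = $enabled
                DisabledByDefault = $disabledByDefault; State = $state
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

Run it on each domain controller before and after the change; any TLS 1.0 or TLS 1.1 row showing "Enabled by registry" is a temporary exception to track until the legacy apps have migrated.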


  2. Q&A Assist
    2026-04-09T10:08:39.56+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Windows Server 2022 supports TLS 1.0 and 1.1, but these legacy protocols are being disabled by default in more recent Windows builds and are considered insecure.

    1. TLS 1.0/1.1 support on Windows Server 2022
    • TLS 1.0 and 1.1 are deprecated but can still be re‑enabled on supported Windows versions, including Server 2022, via registry configuration.
    • To override the system default and enable TLS 1.0 or 1.1, set the Enabled DWORD to 1 under the SCHANNEL protocol keys, for example:
      • TLS 1.0 client and server:
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
                "Enabled" = dword:00000001
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
                "Enabled" = dword:00000001
        
      • TLS 1.1 client and server similarly under Protocols\TLS 1.1\Client and ...\Server.
    • This re‑enables TLS 1.0/1.1 system‑wide for SCHANNEL on Server 2022, so legacy apps depending on these protocols can continue to connect while the migration is completed.
    • Direct registry editing is risky; Group Policy or other management tools are recommended where possible.
    2. Security and fallback behavior
    • Microsoft recommends removing dependencies on TLS 1.0 and 1.1 and using TLS 1.2 or higher wherever possible.
    • Legacy TLS may be removed entirely in future releases, so this should be treated as a temporary compatibility measure.
    3. SMB 1.0 on Windows Server 2022
    • The provided context does not explicitly describe SMB 1.0 behavior on Windows Server 2022, so no statement can be made here based on the available information.
    4. Checking which TLS versions are enabled
    • The context does not provide a specific command‑line tool or command to list enabled TLS protocol versions.
    • Enabled protocols are controlled via SCHANNEL registry keys and, for WinHTTP/WinINet scenarios, via Internet Options and Group Policy:
      • Internet Options → Advanced tab → scroll to the TLS settings to see which protocols are enabled for WinINet/Internet Explorer–based components.
      • Group Policy: Local Computer Policy\Computer Configuration or User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Turn off encryption support. This policy can enforce which TLS versions are used for those components.
    • Important registry paths related to TLS behavior for WinHTTP include:
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\winhttp\ForceDefaultSecureProtocols
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\winhttp\EnableInsecureTlsFallback
      These control default secure protocols and whether fallback to TLS 1.0/1.1 is allowed for WinHTTP‑based applications.

    In summary, Windows Server 2022 can still support TLS 1.0 and 1.1 if explicitly re‑enabled via SCHANNEL registry settings, but this should be used only as a temporary compatibility step while applications are migrated to TLS 1.2 or higher.

